
Security & compliance

Trust Center

Enterprise buyers start with security review. Everything below is what our CISO tells yours — how tenant data is encrypted, isolated, recovered, and processed. Compliance reports (SOC 2 Type 2, ISO 27001, pen test executive summaries, SIG Lite, CAIQ, HECVAT) are available under NDA from the document library.

Encryption

AES-256 at rest, TLS 1.3 in transit, HSTS preloaded.

  • All tenant data encrypted at rest with AES-256 (AWS KMS envelope encryption).
  • All connections use TLS 1.3; weak cipher suites disabled. HSTS is on the browser preload list, which requires max-age of at least one year (31536000 seconds) plus the includeSubDomains and preload directives.
  • Backups and database replicas inherit the same encryption policy as primary storage.
  • Customer-managed keys (CMK / BYOK) available on the Enterprise plan.

Key management

KMS-backed keys, automated rotation, dual control on master keys.

  • Per-tenant data keys are generated and wrapped by AWS KMS keys (formerly "customer master keys") using envelope encryption; KMS keys never leave the HSM-backed service.
  • Automatic annual rotation; forced rotation when personnel with production key access change.
  • Dual-control (two-person rule) on any production KMS policy change.
  • All key usage logged to a write-once audit sink; deviations paged 24×7.

Tenant isolation

Row-level + schema-level isolation with a single enforcement path.

  • Every tenant-scoped query is routed through withTenant(tenantId, cb) — the only supported path to tenant data.
  • Cross-tenant queries are restricted to Owner-level or background-worker contexts, and audited.
  • Storage buckets and Redis prefixes namespaced per tenant.
  • Penetration tests verify isolation annually and after material schema changes.

Secure development lifecycle

Design review, threat modeling, SAST/DAST, signed builds.

  • Threat modeling on every new feature; CISO sign-off on high-risk surfaces.
  • Mandatory peer review + automated SAST (Semgrep), dependency scans (Snyk), and secret detection on every commit.
  • Production builds are reproducible and signed; build provenance is recorded to SLSA Build L2 so a deployed artefact can be traced to its source revision and builder.
  • Quarterly DAST scans against staging; critical findings block release.

Incident response

24×7 on-call, 1-hour severity-1 response, public timeline.

  • Severity-1 response target: acknowledge within 1 hour, engineering engaged within 2 hours.
  • Customer notification within 72 hours of a confirmed data-affecting incident, so that you as controller can meet the GDPR Article 33 deadline for notifying your supervisory authority.
  • Blameless post-mortems published within 10 business days.
  • Tabletop exercises run quarterly with engineering, support, and legal.

Business continuity & DR

RPO 1h, RTO 4h, multi-AZ primary, cross-region DR.

  • Recovery Point Objective (RPO): 1 hour — continuous WAL shipping.
  • Recovery Time Objective (RTO): 4 hours for total region loss.
  • Primary runs multi-AZ; DR replica in a separate AWS region, tested semi-annually.
  • Runbooks and restore drills verified with an independent observer each cycle.

Sub-processors

Transparent list, 30-day change notice, contractual flow-downs.

  • All sub-processors listed on our live subprocessors page.
  • Change notifications broadcast via RSS + email at least 30 days before a new processor goes live.
  • Contractual flow-downs ensure sub-processors meet the same security + privacy obligations we commit to you.
  • Annual reviews against SOC 2 / ISO 27001 reports; findings trigger remediation or replacement.

Data residency

Choose region at tenant creation — US, EU, AU, UAE, UK, CA.

  • Tenant data is pinned to the region selected at creation; no silent migration.
  • EU tenants stay within EEA boundaries (Frankfurt primary, Dublin DR).
  • UAE + AU regions available for regulated workloads with local-law requirements.
  • Support + telemetry metadata follow the same regional constraints; sales/marketing telemetry is regionally segmented.

Responsible disclosure

Found a vulnerability? Email anil@heftyinnovations.com or read our disclosure policy. We respond within 2 business days and do not pursue good-faith researchers.

Machine-readable contact: /.well-known/security.txt